Phishing Attacks Prompt Oxford University To Block Google Docs

Fed up with a spate of phishing attacks, the IT team at Oxford University temporarily blocked Google Docs in an attempt to alleviate the problem. The university also criticized the search engine giant's antiphishing measures, saying it takes too long for Google to stop attacks.

The unusual step was quickly reversed after it began disrupting too many legitimate Google services.

The IT department said all its users receive security awareness training but, with tens of thousands of users on its system, a few had responded to the phishing attempts, causing a ripple effect of problems. The incidents also impacted Oxford's reputation with external email services such as Hotmail and Gmail, wrote Robin Stevens of OxCERT, the university's network security team, on the University Computing Services blog. Hotmail rejected all mail from the university over a period of many days due to a high proportion of the university mail being marked as spam.

"The recent attacks have often seen us dealing with several account compromises within a short length of time," Stevens wrote. "Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already compromised university account to large numbers of other Oxford users."

The temporary disruption lasted for about two and a half hours last week. Stevens said the restrictions were removed due to the disruption caused by the action and an assessment of the phishing attack threat.

"It is fair to say that the impact on legitimate business was greater than anticipated, in part owing to the tight integration of Google Docs into other Google services," Stevens said.

Stevens said it is difficult to filter through links to Google Docs, which use SSL for encryption. Phishing messages that get through must be reported to Google, which can take days or weeks to take down the phony Web forms.

Stevens said the university is investigating possible technical measures to help mitigate the problem and reduce the impact on legitimate network usage. The IT team also will pressure Google to be more responsive when a phishing attack has been identified via Google Docs.

"Google's persistent failures to put a halt to criminal abuse of their systems in a timely manner is having severe consequences for us, and for many other institutions," he wrote.

A Google spokesperson told CRN that the company is actively working to protect users from phishing attempts.

"Using Google Docs, or any of our products, for distribution or coordination of phishing is a violation of our product policies, and we will remove any forms or disable accounts discovered to be used for these purposes," the spokesperson said. "Users can report suspicious forms by clicking 'Report Abuse' at the bottom of any form."

Spammers have been latching on to Google Docs for years. In 2008, spammers set up Google Docs accounts to store spam images and links, using the storage capacity and high bandwidth provided by Google. The Web-based document writer, editor and spreadsheet program is also popular in university environments and an easy lure in phishing attacks.

The number of phishing attacks in 2012 was 59 percent higher than 2011 and global losses were estimated at $1.5 billion last year, according to a recent phishing report issued by RSA, The Security Division of EMC. The hardest-hit countries included the U.K., the U.S., Canada, Brazil and South Africa.

Phishing is one of the oldest online scams remaining popular with cybercriminals because so many users still fall for it, RSA said in the report. Malware writers help service phishers, creating custom-written specialty kits with phony log-in pages of U.S. and U.K.-based banks.

"The forecast outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide," the RSA report noted.